Field Notice: uBR9x5 and CVA122 Using DOCSIS 1.1 May Fail to Come Online Due to Incorrect Privacy Certificates (BPI+)

June 4, 2004

Products Affected

Product

uBR9x5

CVA122

Problem Description

For full DOCSIS 1.1 support, the routers must contain valid DOCSIS certificates in non-volatile memory.

Some cable modem routers were produced when the DOCSIS 1.1 specification was still being finalized, and the certificates in these routers do not conform to the requirements in the final specification. This may cause the router to fail to come online when Baseline Privacy Interface Plus (BPI+) is used under DOCSIS 1.1 code.

Some routers were produced when the DOCSIS 1.1 specification was still being finalized, and the certificates in these routers do not conform to the requirements in the final specification. Cisco has produced valid certificates for these routers, which can be downloaded to the routers using the procedures given in this document and detailed on the CD-ROM.

Problem Symptoms

The router/modem fails to come online when BPI+ is enabled in the DOCSIS 1.1 configuration file, but will successfully come online when BPI+ is disabled.

If the router/modem has already been upgraded to Cisco IOS Release 12.2(15)CZ, or later version of DOCSIS 1.1 code, attempts to upgrade the software image through the DOCSIS configuration file will also fail.

Workaround/Solution

A CD-ROM has been produced with the needed software and certificates to perform the upgrade procedure that is detailed here. The CD-ROM has comprehensive documentation and web pointers that offer detailed information on the upgrade procedure and related documents that address concerns when moving to DOCSIS 1.1 generally. The CD-ROM is a no-charge orderable part with the following product name and ID:

Product Name: DOCSIS 1.1 Certificate Upgrade Disc

Product ID: UBR/CVA-CERT-UPG

The upgrade procedure performs the following steps:

A DOCSIS configuration file is created that specifies that the router should load a new software image and upgrade the certificates. The DOCSIS configuration file and certificates are loaded on a TFTP server that is accessible to the router.

The router is reloaded and downloads the new DOCSIS configuration file, which forces the router to download the appropriate Cisco IOS Release 12.2(15)CZ software image. The router ignores the commands to upgrade the certificates at this point because the software images previous to Cisco IOS Release 12.2(15)CZ do not support them.

The router reloads and boots the Release 12.2(15)CZ image. When the router downloads the new DOCSIS configuration file again, it executes the commands to upgrade the certificates. After the router downloads the new certificates, it reloads a second time.

The router reboots with the Release 12.2(15)CZ image and valid DOCSIS 1.1 certificates. At this point, it can download a new configuration file that specifies normal operations.

This procedure can be used to upgrade all Cisco uBR905/uBR925 cable access routers and Cisco CVA122 Cable Voice Adapters for DOCSIS 1.1 operations. If the router already has a valid certificate, it will ignore the commands to upgrade the certificate and will download only the Cisco IOS Release 12.2(15)CZ software image for DOCSIS 1.1 support.

Note: This procedure updates only the public BPI+ certificates on the router/modem. It does not change the private keys or private certificates, which are written in a protected memory area that cannot be read or changed by users.

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods: